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Quantum secret-sharing and quantum error-correction schemes rely on multipartite decoding 
protocols, yet the non-local operations involved are challenging and sometimes infeasible. Here 
we construct a quantum secret-sharing protocol with a reduced number of quantum communication 
channels between the players. Our scheme is based on embedding a classical linear code into a 
quantum error-correcting code. Our work paves the way towards the more general problem of 
simplifying the decoding of quantum error-correcting codes. 
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Secret sharing is a cryptographic protocol in which a 
dealer distributes a shared secret among a set of players, 
so that only certain authorized subsets can collabora- 
tively recover the secret. The protocol, first introduced 
by Shamir and Blakley [2], is important in any area 
that requires sharing of highly sensitive information, such 
as bank accounts, missile launch sequences etc. 

The quantum counterpart is a scheme in which the 
dealer distributes either a classical secret [3] (string of 
bits) or a quantum secret (quantum state) [1] to the set 
of players via quantum channels O [6] . Quantum secret- 
sharing is useful for distributing shared quantum keys, 
non-counterfeitable "quantum money" [T), distributed 
quantum computing secure quantum memory and 
multipartite quantum communication [9]. For the quan- 
tum secret-sharing protocol to be feasible, the dealer is 
assumed to be "powerful" - she can prepare arbitrary 
quantum states and reliably distribute them to the play- 
ers. The players have full access to universal quantum 
computers and can communicate among themselves via 
quantum channels so that only certain authorized subsets 
can recover (decode) the secret. The decoding operation 
is harder to implement than in the classical case, as it 
requires quantum communication which is expensive. 

Reducing the amount of quantum communication re- 
quired for the decoding can improve the efficiency of dis- 
tributed cryptographic protocols in which a subset of the 
players have restricted communication capabilities. Con- 
sider for example a quantum secret-sharing scheme with 
players divided into two subsets, one of which is com- 
putationally powerful (each player has access to univer- 
sal quantum computation and all players can use quan- 
tum communication) , whereas the other one is computa- 
tionally weak (each player has access to local universal 
quantum computers but the players can use only clas- 
sical communication between them). One such instance 
is a secret-sharing scheme between the Earth (the com- 
putationally powerful subset) and e.g. the International 
Space Station (the computationally weak subset). 
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Reducing the amount of quantum communication (i.e. 
reducing the number of non-local operations involved) 
also helps simplifying the decoding of quantum error- 
correcting codes |10|, lllj , which are of crucial importance 
for the construction of a real-world fault-tolerant quan- 
tum computer. 

In this article we solve the following problem. For 
a large class of quantum secret-sharing schemes con- 
structed from classical linear error-correcting codes |12) . 
we show that their decoding can be simplified by replac- 
ing some of the quantum channels among the players by 
classical ones. Inspired by the Calderbank-Shore-Stean 
(CSS) construction we embed a classical linear error- 
correcting code into a quantum code, then show that this 
embedding induces a quantum secret-sharing scheme in 
which all players have to collaborate to recover the se- 
cret. In this protocol some of the players are only re- 
quired to perform local measurements and share their 
measurement results via classical channels. 

We begin by considering an [n,k,d]q classical error- 
correcting code over Fg, the Galois field with q = p™ ele- 
ments, where p is prime and m is a positive integer. The 
parameter k denotes the number of encoded dits (gener- 
alization of a bit that allows holding more than 2 states) , 
n is the number of carriers and d is the distance of the 
code. We can represent such a code compactly using a 
k X n generator matrix G with elements in Fg. Each 
codeword (n-tuple in F^ [14 ) can then be written as 

X ■ G — y ^ XiGij, (1) 

where a; is a fc-tuple in F^', for a total number of code- 
words equal to , where the addition and multiplication 
in ([T]) are over the finite field F^. One can regard G as a 
linear mapping from the 'input' space F^ to the 'output' 
(or encoded) subspace of FJ^, see the top of our diagram 
(mapping 1) in Fig. [I] 

We use the elements a; € F^ to label the basis vectors 
of J^'^'^, the Hilbert space of k qudits, and denote the 
collection of the orthonormal basis vectors by {|£c)}a;eF'' j 
see the mapping 4 in Fig. [T] Similarly we embed the 
elements a; • G € F" into a subspace of the J^**" spanned 
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FIG. 1. A schematic for various embeddings used throughout 
the article. 



by the collection of orthonornial vectors {\x ■ G')}a;eF''j 
as depicted by mapping 2 in Fig. [l] Note that Jf®^ is 
isomorphic with Span{|a; • G)}j.^fk through an encoding 
isometry V , see the bottom of our diagram (mapping 3) 
in Fig. [ij In particular, the isometry V can be explicitly 
constructed from the generating matrix G using a simple 
quantum circuit that consists of Control-NOT gates; see 
§ 10.5.8 of [13 . 

We have all the ingredients to construct a quantum 
secret-sharing scheme as follows. A dealer holds a k- 
qudit quantum secret 



(2) 



with c{x) normalized complex coefficients. The secret is 
then distributed to a set of n players using the isometric 
encoding V , so the state shared by the players is 



(3) 



We next design a decoding protocol in which all n play- 
ers have to collaborate; however, just a proper subset A 
of the entire set of players P is required to use local op- 
erations and classical communication (LOCC) with the 
complementary subset B. The latter subset can then 
fully recover the quantum secret. Our scheme is de- 
picted in Fig. [2] Our secret-sharing scheme is imperfect 
(or 'ramp'), i.e. there exist subsets of players that may 
extract partial information about the secret. However, 
we can transform it to a perfect (or 'threshold') quan- 
tum secret-sharing scheme via 'twirling' and allowing the 
dealer to share extra classical communication channels 
with the players [15l [16] . 



Deflnition. A subset A of the entire set of players P 
is LOCC-assisting for its complement B whenever there 
exists an LOCC scheme that A can perform, followed by 
sending the measurement results to B, so that B can fully 
recover the quantum secret. 

Inspired by the CSS construction, we employ the con- 
cept of embedding a classical code into a quantum code. 




FIG. 2. LOCC-recoverable quantum secret-sharing. The 
dealer D encodes k qudits (filled in circles) in state \'4>) via 
the isometry V to realize the state |^'), then transmits it to 
the players P (with each player denoted by an empty circle) 
via quantum channels (solid lines indicate single-qudit chan- 
nels). The players in A perform local measurements and each 
one communicates via classical channels (dashed lines) with 
all players in B, who are all connected via quantum channels. 
Finally the players in B perform a global quantum operation 
to recover |i/>). 



but use the technique to construct a novel way of decod- 
ing quantum secret-sharing schemes. The most impor- 
tant outcome of our scheme is a drastic reduction of the 
number of inter-player quantum communication channels 
required for the decoding. Our main result is summarized 
below. 

Theorem 1. Let [n,k^d]q be a classical error- correcting 
code with generator matrix G, and let \^) be a k-qudit 
quantum secret distributed to a set of n players using the 
isometric encoding 



\x) 



G). 



(4) 



Let A be a subset of the carrier qudits, and let B de- 
note its complement. Let Gb be the matrix obtained by 
removing the columns that correspond to the players in 
B from G. Then the subset A is LOCC-assisting for its 
complement B if and only if 



rank(GB) — k. 



(5) 



Proof. Consider that each player in A performs a lo- 
cal measurement in the Fourier basis {|a;) = F\x)}x£¥gi 
where F is the generalized Fourier matrix defined as 

1 j^^i^'-)\z) {x\, := exp(27ri/p), (6) 



F := 



^/9 ^ 



where tr(a::) denotes the "trace" [171 HH] of an element 



tr : F„ 



i=0 



(7) 
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We denote by G the label of the measurement 
result of the fc-th player. For compactness we collect all 
measurement results that the players in A perform into 
a vector a G f!/^', where |^| represents the number of 
players in A. Let 



Tr^ [{\a){a\(g,lB)m 
\Tta [(|a)(a|®/B)|*>] 



(8) 



be the normalized resultant state of the remaining B 
players, given that the results of the measurements by A 
are a. From ^ all measurement results have the same 
probability, independent of the secret 1-0) in ([2]), 



p(a) = ||Tr^ [{\a){a\^lB)\mr = 



\A\ ■ 



(9) 



The resultant state on B, given the measurement result 
a, is 



I*; 



B.a — 



(10) 



xe¥^^ 



Note that rank(G'B) ^ fc, as Gs is obtained from the 
rank-fc generator matrix G by removing columns from 
the latter. 

If rank(GB) < k, the number of mutually orthogonal 
states in ( 10 1 is less than the dimension g*^ of the quan- 
tum secretfV') in or, equivalently, dim(span({|a; • 
GB)}xe¥'')) <dim(span({|a;)}3.g][rfc)). In this case it is 



impossible to map the state |^')B,a in (10) back to \'ip) 
by an isometry that does not depend on the coefficients 
c{x); there is not enough "space" to "fit" the secret lip) 
in the state |4')s,a and information is irreversibly lost 

[iniiin]- 

On the other hand the vectors {\x ■ GB)}xe¥'' a-re niu- 
tually orthogonal if and only if rank(GB) = k. In this 
latter case, the state \^)B,a can be mapped back to the 
original secret {ip) via a decoding isometry (that depends 
on the measurement results a) defined via 



(11) 

□ 



Our next result shows how to construct the above de- 
coding isometry explicitly. 

Theorem 2. Let A be an LOCC-assisting subset for its 
complement B. Then the decoding isometry for B is a 
product of a local unitary operation, which depends only 
on the measurement results a, and an isometry that de- 
pends only on the subset B. A corresponding decoding 
quantum circuit can be constructed explicitly. 

Proof. For some 2 G Fg consider the action of := 



on l^*) B.a in ( 10 ), where is the gen- 



eralized single-qudit Weyl-Heiscnberg operator [T71 [TS] 
defined as 



Z' := 



for z G F,. (12) 



The resultant state is 

Z^\^)B.a^ c(a;)cj-"-(^-^-*-"'')Z^|a?-Gi 



^ c(a;)a;-*''(^-^-^-°'''a;*''(^-^«-^^)|a; • Gb) 



= c(a;)w*4-(Gi5-^-GA-^)]|a..GB). (13) 

x&\ 

We now claim that there always exists a 2; G F^"''^' such 
that 



Gb ■ 2; = G A ' o, 



(14) 



As A is LOCC-assisting for B, Theorem [T] implies that 
rank(GB) = k. This fact implies that ( |l4| ) admits at least 
one solution z which can be found by elementary linear 
algebra methods over finite fields. Therefore, for such a 
solution 2, the operator Z^ eliminates all phases in (10) 



(15) 



which implies at once that the resultant state (15) can 
be mapped back to the original secret (|2| by an isometry 
Vb defined by 



la^-Gi 



(16) 



The overall recovery procedure can be written as VbZ^ , 
where Vb is independent of the measurement results and 
depends only on the subset _B, and Z^ is a local unitary 
correction that depends only on the measurement results 
a. The isometry Vb is the adjoint of the quantum cir- 
cuit that maps |a;) to \x ■ Gb), and can be constructed 
explicitly, similarly to the construction of the encoding 
isometry V . □ 

As our goal is to reduce the number of quantum com- 
munication channels among the players, we aspire to con- 
struct schemes in which the LOCC-assisting subsets A 
are as large as possible. The restriction \B\ ^ k must be 
satisfied, as otherwise information is lost and thus there is 
no way for B to recover the quantum secret faithfully |19| . 
We now show that there exist 'optimal' schemes for which 
\B\ — k, which requires the following Lemma. 

Lemma 3. Every subset B of size \B\ > n — d, where d 
is the distance of the underlying classical [n,k,d]q code, 
can fully recover the secret by LOCC assistance from 
its complement A. 

Proof. This follows at once as the distance d of the clas- 
sical code is 

d = l+max[rank(GB) = fc,VB with \B\=n-r], (17) 

r 

which is to say that one can arbitrarily remove at most 
d — \ columns from the generator matrix G without 
changing the rank of the resultant Gb- Therefore, the 
maximum r in (17) is d — 1, which implies that the mini- 
mum size oi B has to be at least n—{d—l) = n—d+l. □ 



4 



Lemma [S] implies at once that efRcient (in terms 
of quantum communication) LOCC-recoverable secret- 
sharing schemes are obtained from classical [n,k,d]g 
codes that maximize the distance for fixed n and k. Such 
an example is constituted by the class of maximum dis- 
tance separable (MDS) codes that achieve equality in the 
classical Singleton bound |13) . 



n — k = d — 1. 



Theorem 4. An MDS classical code [n, k,n — k + l]g 
induces a quantum secret-sharing scheme in which ev- 
ery subset B of size k or more can recover the quantum 
secret by LOCC assistance from its complement A. Fur- 
thermore, if \B\ = k, the scheme is optimal in terms of 
the number of quantum communication channels required 
among the players. 

Proof. The proof follows immediately from Lemma[3j □ 

We illustrate our formalism by a concrete example 
(simple enough to be worked out by hand). 

Example 1. Consider a classical repetition code [n — 
3,k = l,d = 3]2 with generator matrix G = (l 1 l) 
and note that this is an MDS code. The corresponding 
classical codewords 000 and 111 are embedded into two 
quantum states, |000) and |111), respectively. A secret 
\ip) = c(0)|0) -f c(l)|l) is distributed to three players as 
j^f) = c(0)|000) -hc(l)|lll). Theorem\^ implies that any 
subset B of size \B\ ^ 1 can recover the secret by re- 
quiring the players in A to perform measurements in the 
{|-|-), |— )} basis and then send the measurement results 
back to B. 

Without loss of generality assume that the players 1 
and 2 perform measurements, with measurement results 
fli G F2 and 02 G F2, respectively. The resultant state on 
the third player is 



l*){3},a=c(0)|0)-H(-l)"^®"=c(l)|l) 



(19) 



where denotes addition mod 2. Whenever ai and 02 
have the same parity, the third player does not have to do 
anything. When oi and 02 are different, then the third 



player has to apply a Z operator to remove the phase in 
(19). The combined effect can be achieved by player 3 



applying the operator Z"'^®'^^ . 

Applying directly our formalism, we have A — {1,2}, 
B — {3}, Ga = (1 1) andGs = (l). Using (10) we can 
write the resultant state \^){z},a after the measurement 
performed by the subset A in exactly the same form as 
(19). The operator the player B = {3} has to apply 



(18) 

can be found using (|14[) , which yields 



1 1 



(0.1 0.2) 



fli ® a2, 



(20) 



as shown below This example was first described in 

the seminal paper of Hillery et al ^Sl. 

The above scheme can be generalized at once to n > 3 
generalized GHZ states over larger alphabets by using a 
classical MDS repetition code [n, \ ,n\q over Fg with gen- 
erator matrix G ^ {\ 1 ... 1). The measurement 
basis is now replaced by the Fourier basis {\x)}xi£Wg- For 
a faithful decoding, the n-th player must apply the oper- 
ator Z^ , with z = ®,"^]^ Oi, where the sum is taken over 
the elements of¥q. 

In summary, we have developed a novel qudit quan- 
tum secret-sharing protocol in which we reduce the quan- 
tum communication overhead among the players by en- 
abling some quantum channels to be replaced by classi- 
cal ones. Our scheme is based on embedding a classical 
linear code into a quantum code, then using the latter 
for the actual construction of the protocol. The size of 
the LOCC-assisting subsets is determined entirely by the 
error-correcting properties of the classical code. 

As quantum secret-sharing schemes are a form of quan- 
tum error-correction, our results represent a first step to- 
wards attacking the challenging problem of minimizing 
the amount of quantum communication needed for de- 
coding the latter. 
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